Fast, portable and reliable dependency analysis for any codebase. Supports license & vulnerability scanning for large monoliths. Language-agnostic; integrates with 20+ build systems.
I made a mistake in my last PR where I didn't change the command to make the final release archives correctly. It was putting the intel binaries into the arm archive.
I also addressed an issue that came up with code-signing while testing the release action. On ARM the liblzma dylib fails during the verification of code signing when running fossa because the library is not signed by either Apple or us:
dyld[11361]: Library not loaded: /opt/homebrew/opt/xz/lib/liblzma.5.dylib
Referenced from: <339C808F-7D5F-3897-BEE5-FF154705274E> /Users/ec2-user/arm_macos/fossa
Reason: tried: '/opt/homebrew/opt/xz/lib/liblzma.5.dylib' (code signature in <1E29DFAD-90C2-3D94-889D-7A212125B52B> '/opt/homebrew/Cellar/xz/5.4.6/lib/liblzma.5.dylib' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/opt/xz/lib/liblzma.5.dylib' (no such file), '/opt/homebrew/opt/xz/lib/liblzma.5.dylib' (code signature in <1E29DFAD-90C2-3D94-889D-7A212125B52B> '/opt/homebrew/Cellar/xz/5.4.6/lib/liblzma.5.dylib' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/opt/homebrew/Cellar/xz/5.4.6/lib/liblzma.5.dylib' (code signature in <1E29DFAD-90C2-3D94-889D-7A212125B52B> '/opt/homebrew/Cellar/xz/5.4.6/lib/liblzma.5.dylib' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/xz/5.4.6/lib/liblzma.5.dylib' (no such file), '/opt/homebrew/Cellar/xz/5.4.6/lib/liblzma.5.dylib' (code signature in <1E29DFAD-90C2-3D94-889D-7A212125B52B> '/opt/homebrew/Cellar/xz/5.4.6/lib/liblzma.5.dylib' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs)
On my Intel system, the liblzma dylib seems to be built-in and present in /usr/local/lib which seems to be trusted. But on ARM it is from homebrew. I spent some time investigating solutions hoping to find one that would allow the homebrew liblzma to pass verification but could not. The solution I came up with is to disable the library verification using entitlements.plist. This is less than ideal, but I could not find another way to make this work that wouldn't involve changing the way we distribute our OS X binaries to bundle in liblzma.
You can find a copy of the signed and notarized arm binaries with the entitlements here.
Acceptance criteria
It puts the ARM binaries into the arm archive.
Testing plan
I pushed dummy tags v9.9.9 and used these to test the release action. I then downloaded and ran the fossa arm binaries on an EC2 instance. If whoever reviews this is using an apple silicon system it would be good if they could also test the signed binaries I link to above.
Risks
There is the additional entitlement for Mac OS X binaries on arm. I think the actual risk here is small, but it is a risk.
Checklist
[ ] I added tests for this PR's change (or explained in the PR description why tests don't make sense).
[ ] If this PR introduced a user-visible change, I added documentation into docs/.
[ ] If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
[ ] If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an # Unreleased section at the top.
[ ] If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
[ ] If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.
Overview
I made a mistake in my last PR where I didn't change the command to make the final release archives correctly. It was putting the intel binaries into the arm archive.
I also addressed an issue that came up with code-signing while testing the release action. On ARM the liblzma dylib fails during the verification of code signing when running
fossabecause the library is not signed by either Apple or us:On my Intel system, the liblzma dylib seems to be built-in and present in
/usr/local/libwhich seems to be trusted. But on ARM it is from homebrew. I spent some time investigating solutions hoping to find one that would allow the homebrew liblzma to pass verification but could not. The solution I came up with is to disable the library verification usingentitlements.plist. This is less than ideal, but I could not find another way to make this work that wouldn't involve changing the way we distribute our OS X binaries to bundle in liblzma.You can find a copy of the signed and notarized arm binaries with the entitlements here.
Acceptance criteria
It puts the ARM binaries into the arm archive.
Testing plan
I pushed dummy tags
v9.9.9and used these to test the release action. I then downloaded and ran the fossa arm binaries on an EC2 instance. If whoever reviews this is using an apple silicon system it would be good if they could also test the signed binaries I link to above.Risks
There is the additional entitlement for Mac OS X binaries on arm. I think the actual risk here is small, but it is a risk.
Checklist
docs/.docs/README.msand gave consideration to how discoverable or not my documentation is.Changelog.md. If this PR did not mark a release, I added my changes into an# Unreleasedsection at the top..fossa.ymlorfossa-deps.{json.yml}, I updateddocs/references/files/*.schema.jsonAND I have updated example files used byfossa initcommand. You may also need to update these if you have added/removed new dependency type (e.g.pip) or analysis target type (e.g.poetry).docs/references/subcommands/<subcommand>.md.